KR20140018362A - Social network based pki authentication - Google Patents

Abstract

The user device creates a social graph based user entitlement that conveys the trust level to other users of the social network. A user entitlement for a user is obtained, and the user has a user public key and a corresponding user private key. A plurality of potential signers in one or more social networks are identified. The entitlement is then sent to the identified plurality of potential signers. One or more signed versions of the user entitlement may be received from at least some of the plurality of potential signers. The user device may assign a signer weight to each signed version of the user entitlement, and each corresponding signer weight is associated with the signer of each signed version of the entitlement. User entitlement, user signature, one or more signed versions of the user entitlement, and user-assigned signer weights are distributed to one or more recipients.

Description

SOCIAL NETWORK BASED PKI AUTHENTICATION}

This patent application claims priority to US Provisional Application No. 61 / 480,270, entitled "Social Network Based PKI Authentication," filed April 28, 2011, which is hereby expressly incorporated by reference herein. do.

Various features relate to a scalable mechanism that can affect social networks or online communities for authentication and security.

Current trends in poor management and privacy violations of user policies on social networks and online communities are extreme for easier means for authenticating users, encrypting content, and / or authorizing / restricting access to such content. Suggests the need. User-friendly means of organizing and sharing public keys—Identity-based encryption or notions have been designed using, for example, Uniform Resource Identifiers (URIs) as public keys. However, the ability to automatically generate entitlements (or web of trust) does not currently exist. Without this, public-private key pairs do not allow authentication, authorization or non-repudiation. Public Key Infrastructure (PKI) is a hierarchical means of accomplishing this, but cost and scalability prevent it from becoming a facto mechanism. The concept of "web of trust" solves this problem, but it has key-signing parties, etc. that are traditionally required.

As social networks expand, there are opportunities for influencing information here for various purposes. It would be beneficial to provide a scalable mechanism that can affect social networks or online communities for authentication and security.

The first example provides a method operable on a user device for generating social graph based entitlements. A user entitlement for a user of the user device is obtained, where the user is associated with the user public key and the corresponding user private key. User entitlement may also include a user public key. In addition, a plurality of potential signers in one or more social networks are identified. The user entitlement is then sent from the user device to the plurality of potential signers. In response, the user device may receive one or more signed versions of the user entitlement from at least some of the plurality of potential signers. The first signed version of the user entitlement from one or more signed versions of the user entitlement can be signed by the signer using the second private key and can be authenticated using the corresponding second public key.

The identity of at least these signers of the user entitlement, received one or more signed versions of the user entitlement, and / or received one or more signed versions of the user entitlement may then be combined into a composite certificate. Can be. User entitlement, user signature, one or more signed versions of the user entitlement, and one or more user-assigned signer weights may be distributed to one or more recipients.

In addition, the user signature may be generated by signing at least a portion of the composite credential using the user private key. User signatures can be attached to compound credentials.

Generation of the user signature comprises: (a) signing a user credential comprising the identities of the plurality of potential signers identified using the user private key; And / or signing a user entitlement that includes received one or more signed versions of the user entitlement using the user private key.

In addition, signer weights may be assigned to each signed version of the user entitlement, each corresponding signer weight associated with a signer of each signed version of the user entitlement, and the corresponding signer weights also generate a user signature. In order to be signed using the user's private key. In one example, the plurality of potential signers can be identified from contacts derived from an address book or emails for the user.

The identities of the identified plurality of potential signers may be sent from the user device to the plurality of potential signers for signature by one or more of the potential signers, along with the user credentials.

In some examples, a user entitlement time stamp or lifetime indicator may be attached to the user entitlement at the user device prior to distribution to one or more recipients.

In one example, a user-assigned signer weight for each signed version of a user entitlement can be obtained. The user-assigned signer weights for each signed version of the user entitlement can be added to the compound entitlement.

In one implementation, the user-assigned signer weight for each signer may be proportional to the trust relationship between the user and the signer. In a second example, the user-assigned signer weight for each signer may be proportional to the relationship distance between the signer and the user in the social network. In a third example, the user-assigned weight for each signer is at least one of a time-varying weight or a purpose-dependent weight. In a fourth example, the user-assigned weight for each signer is based at least in part on weights received from other users, which are authenticable by the user device. In one example, for signers known to the user, the user-assigned signer weight is determined by the user only, while for signers not known to the user, the user-assigned signer weight is such unknown signers. Based at least in part on the weights provided by the signers known for.

In another implementation, signer-specific weights for each signed version of a user entitlement may be obtained. Signer-specific weights for each signed version of a user entitlement may be added / attached to the compound entitlement. In one example, each signer-specific weight is associated with a corresponding signer. In another example, each signer-specific weight may be generated by at least one of a trusted third party or a community of users.

In a second example, a method is provided that is operable on a receiver device for generating a trust metric for a user. One or more signed versions of a user entitlement signed by one or more signers in the user entitlement and social network, and a composite entitlement including a user signature on the compound entitlement may be received. In one example, the user entitlement can be a user public key.

One or more signed versions of the composite credential and the user credential may be authenticated. A trust metric for a user can be generated based on one or more signers upon successful authentication.

In one implementation, signer weights for each of one or more signers may be received as part of a composite credential. A trust metric for a user may be generated based on received signer weights for one or more signers.

In another implementation, recipient-assigned signer weights may be assigned to each of one or more signed versions of a user entitlement, and each recipient-assigned signer weight corresponds to a signer of each of the signed versions of a user entitlement. do.

In various examples, the confidence metric can be generated based on: (a) a combination of signer weights and receiver-assigned signer weights, or (b) one or more receiver-assigned signer weights.

Authentication of the user entitlement may include applying a user public key to the user signature to verify the authenticity of the signed content in the composite entitlement. Authentication of one or more signed versions of a user entitlement may include applying a signer public key to one or more signed versions of the user entitlement to verify their certificate. In other implementations, one or more signed versions of the user entitlement may be signed by someone other than the user.

1 is a diagram illustrating the concepts of unweighted and weighted social graphs for a social network.
2 is a block diagram illustrating an example of how authentication and / or trust credentials can be generated for a target user.
3 is a block diagram illustrating an example of how authentication and / or trust credentials for a target user can be used by a validating user.
4 (including FIGS. 4A and 4B) illustrates a plurality of social graph-based qualifications for generating and computing trust metrics for a user device based on endorsements by one or more signer devices. A flowchart illustrating the operation of the devices.
5 shows a block diagram of a user device according to an example.
6 illustrates an example of an operation of a user device to facilitate generation of social network based trust metrics.
7 shows a block diagram of an internal structure of a signer device according to an example.
8 shows an example of the operation of a signer device to facilitate the generation of a social network based user entitlement.
9 shows a block diagram of an internal structure of a receiver device according to an example.
10 shows an example of the operation of a recipient device to generate a social network based trust metric for a user.

In the following description, specific details are given to provide a thorough understanding of the embodiments. However, it will be understood by those skilled in the art that embodiments may be practiced without these specific details. For example, circuits may be shown in block diagram form in order to avoid obscuring embodiments in unnecessary detail. In other instances, well-known circuits, structures and techniques may not be shown in detail in order not to obscure the embodiments.

The term "exemplary" is used herein to mean "functioning as an example, illustration or illustration." Any implementation or embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments. Likewise, the term "embodiments" does not require that all embodiments include the features, advantages or modes of operation discussed.

summary

In the world of social networks, networks of relationships (called social graphs) can be established between various users or members of the social network. Information unique in the relationships defined within these social networks can be used, for example, to establish different levels of trust between users / members. In one example, the user's / member's extended social relationships can be used to identify a particular level of trust for the user / member. Additionally, some or all of the extended social relationships for that user / member can be weighted to define trust in that relationship. The trust level for the user / member may then be defined based on the weighted or unweighted relationships between the user / member of the social network and other users / members.

According to one feature, a credential for a user / member can be created that conveys a trust level to other users / members of the social network. In one example, the user device can generate a social qualification based user qualification (eg, using social network relationships). A user entitlement for a user is obtained, and the user has a user public key and a corresponding user private key. A plurality of potential signers in one or more social networks are identified. The entitlement is then sent to the identified plurality of potential signers. One or more signed versions of the user entitlement may be received from at least some of the plurality of potential signers. The user device can assign a signer weight to each signed version of the user entitlement, and each corresponding signer weight is associated with the signer of each signed version of the entitlement. One or more signed versions of a user entitlement may be signed using a user private key to generate a user signature. Corresponding signer weights may also be signed using the user private key to generate a user signature. User entitlement, user signature, one or more signed versions of the user entitlement, and / or user-assigned signer weights may be distributed to one or more recipients.

According to another feature, the recipient device can generate a confidence metric for the user (or corresponding user device). The recipient device can obtain a user public key for the user (or associated user device). User entitlements and user signatures may be received that include one or more signed versions of a user entitlement signed by one or more signers in a social network. One or more signed versions of the user signature and user entitlement may be authenticated by the recipient device. For example, the user public key can be applied to the user signature to verify the authenticity of the signed content within the user signature. In addition, the authentication of one or more signed versions of the user entitlement may include applying a signer public key to the signed received entitlements to verify the authenticity of the signed content within the signed received entitlements. .

Upon successful authentication, the recipient device can generate a trust metric for the user (or user device) based on one or more signers. Signer weights for each of one or more signers may be received, and a trust metric for the user is generated based on the received signer weights for one or more signers. Alternatively, recipient-assigned signer weights may be assigned to each of one or more signed versions of the user entitlement, and each receiver-assigned signer weight corresponds to the signer of each of the signed versions of the user entitlement. do. Thus, a confidence metric can be generated based on a combination of signer weights and receiver-assigned signer weights or based only on one or more receiver-assigned signer weights.

Influence social networks / online communities to generate social graphs

Information security is fast becoming important in a shared social world (eg, within social networks and / or online communities). User friendly means of constructing and sharing public keys (eg, identity-based encryption or concept using Uniform Resource Identifiers (URIs) as public keys) have been designed. However, the ability to automatically generate entitlements (or web of trust) does not currently exist. Without this, public-private key pairs do not allow authentication, authorization or non-repudiation. Public Key Infrastructure (PKI) is a hierarchical means of achieving automatic generation of entitlements within social networks or online communities. However, the cost and scalability issues of implementing a PKI prevent the PKI from becoming a de facto security mechanism within social networks and / or online communities. The concept of "web of trust" and PKI implemented on the basis of social network relationships solve this problem. Means for bootstrapping a key signature based on social graphs (eg, relationships within social networks) may be global (eg, via social networks and beyond). It can be very useful to make security accessible and usable on a level. Privacy sensitive or selective sharing of information is considerably simpler to resolve in the presence of this model using network relationships and PKI.

The nature and structure of social networks and / or online communities includes unique information that may help to implement a security / authentication system, such as relationships, credentials for each user, and the like. The "social graph" can be set from information available on social networks or online communities and can serve with security (authentication, encryption, privacy).

1 is a diagram illustrating the concepts of unweighted and weighted social graphs for a social network. The unweighted social graph 102 does not distinguish between several classes or levels of relationships between users of social networks. Target user 104 (eg, an individual or target user device) includes different types of relationships (direct relationships and indirect relationships) with other users (eg, individuals or other user devices). But not limited thereto). Direct relationships may include these relationships with other users that the target user 104 knows directly, while indirect relationships may be such relationships where the target user 104 knows someone based on the relationship with other users. Can include them. The level of trust or weight of the relationship between the users (ie, several classes or levels) is shown here by the size of the node located on the graph. Each node can represent a different user. As can be seen in the unweighted social graph 102, the users 106a, 106b and 106c have a direct relationship with the target user 104. Similarly, in unweighted social graph 102, users 108a, 108b, 108c and 108d have an indirect relationship with target user 104. The relationships from the target user 104 to all direct relationship users 106a, 106b and 106c and to all indirect relationship users 108a, 108b, 108c and 108d are equally weighted (ie, unweighted).

One aspect provides an improvement on unweighted social graphs by using weighted relationships to generate weighted social graphs 103 that can more accurately capture social interactions of users. The weighted social graph 103 shows the same relationships that direct relationship users 106a, 106b and 106c and indirect relationship users 108a, 108b, 108c and 108d have with the target user 104. As can be seen in the weighted social graph 103, the size of the nodes for direct relationship users 106a, 106b and 106c is the size of the nodes for indirect relationship users 108a, 108b, 108c and 108d. And may be different. Specifically, some users may have larger nodes, indicating greater weight (eg, knowing more reliable, better target user 104, etc.). For example, the first user 106a may have a greater weight than the second user 106b (eg, knowing more reliable, better target user 104, etc.). In some cases, indirect relationship third user 108a may even have a greater weight than direct relationship fourth user 106c. That is, some users may be more reliable than others, and in one aspect, may be more trustworthy as the nodes on the weighted social graph 103 become larger.

According to one aspect, the weight of the indirect relationship user may be influenced by the weight assigned or attributed to the direct relationship user linking the indirect relationship user to the target user 104. For example, in the weighted social graph 103, the fifth indirect relationship user 108b is due to its link through the second user 106b which also has a lower weight (relative to the target user 104). ) May have a lower weight. Similarly, third user 108a may have greater weight (relative to target user 104) due to its link through first user 106a which also has greater weight. Thus, the weights of certain users may depend on the weights of intermediate users.

According to another aspect, the weight assigned to each user may be independent of other users. For example, the weight assigned to the third user 108a may be independent of the weights assigned to the first user 106a and / or the second user 106b.

Using the weighted social graph 103, a “social” public key infrastructure (PKI) can be constructed that can serve to authenticate secure access to users and / or information. Such social PKI utilizes social graph structures that are growing on the web and / or the internet. Weighted social graphs make the PKI bootstrap significantly simpler. The weights assigned to each user (e.g. contacts or members of a social network or online community) determine how the target user has met other users, how long they have known each other, and the history (or May be affected by a number of factors including, but not limited to, environments for the types of actions). According to one aspect, the weights assigned to the users may change over time. The change in weights can be influenced by several factors, including but not limited to increased interactions between two users, reduced trust between users and / or conditional trust. have.

Combined authentication and / or trust entitlements for the target user 104 may be generated based on the trust level of the direct and / or indirect relationships and the PKI for the target user and / or other users. These authentication and / or trust credentials, in addition to being conditional and / or unconditional, may be short-lived (e.g., expire after a relatively short period of time or after a single transaction) or long-lived (e.g., For example, it may expire several days, weeks, months or years later). For example, a credential may be a user (e.g., trusted user 104 or other users 106a-c and 108a-d) that only a specific domain (e.g., a domain in which these credentials may be used / trusted). Conditional on whether or not it is trusted. Unconditional qualifications may not be limited to any source and / or in time.

2 is a block diagram illustrating an example of how authentication and / or trust credentials can be generated for a target user. In this example, the target user 204 (eg, user device, node or member) may initially have associated private key Priv-A and public key Pub-A, device / user identifiers, random data, etc. With user credentials, can be signed by the target user (eg, using its private key Priv-A). In a first example, the initial / user credential Cert may be present as Cert = random number. In a second example, the initial / user credential Cert may be present as Cert = Pub-A, ie the public key associated with the target user. In another example, note that the initial / user credential Cert may be signed by the target user 204 prior to distribution to the potential signer, thereby allowing the potential signers to authenticate the target user prior to signing.

The target user 204 sends the initial entitlement to one or more other users (eg, other user devices, nodes or members) to which the target user 204 has direct or indirect social relationships. One or more of the other users 206, 208, 210, 212, 214, 216 and / or 218 receiving the initial / user entitlement Cert directly from the target user 204 may have their own private key. (Eg, Priv-B for User B 206, Priv-C for User C 208, Priv-D for User D 210, Priv-E for User E 212, User Respond by signing the entitlement Cert using Priv-F for F 214, Priv-G for user G 216, and / or Priv-H for user H 218. Whether other users 206, 208, 210, 212, 214, 216 and / or 218 decide to sign an initial / user entitlement Cert for the target user 204 (eg, within a social network It may depend on whether it has a trust relationship with the target user 204 (either directly or indirectly through a social link). Various versions of signed entitlement Certs (eg, Sig _{Priv -B} (Cert), Sig _Priv-C (Cert), Sig _{Priv -D} (Cert), Sig _{Priv -E} (Cert), Sig _{Priv -F} ( Cert), Sig _{Priv- G} (Cert), Sig _Priv-H (Cert)) may be sent to the target user 204.

Thus, the target user 204 may have one or more signed versions of its initial entitlement Cert (eg, Sig _{Priv -B} (Cert), Sig _{Priv -C} (Cert), Sig _{Priv -D} (Cert)). , Sig _{Priv -E} (Cert), Sig _{Priv -F} (Cert), Sig _{Priv -G} (Cert), and Sig _{Priv -H} (Cert) may be obtained or received (220). According to one feature, target user A 204 may assign weights (eg, Wt-AB, Wt-AC, Wt-AD, Wt-AE, Wt-AF, Wt-) to interfaces with responding users. AG and / or Wt-AH) may optionally be assigned. These “interface” weights may be, for example, any one of the specific users 206, 208, 210, 212, 214, 216 and / or 218 to which the target user 204 assigns the weight. It can express the length or type of relationship. For example, a weight (eg, within a range of weights) may be assigned or granted to a user whose target user has a direct relationship rather than an indirect relationship. Similarly, higher weights may be assigned or granted to a user who has known the target user 204 for the longest time as compared to a user who has only recently met the target user 204. In some examples, users that are important by the community or social network may be assigned higher weights by the target user 204 because of these differences or importance.

In other implementations, weights may be assigned to a specific signer (eg, signed user) rather than to an interface between the target user and the signed user. For example, a "user-specific" or "signer-specific" weight (Wt-S) may be generated by a community of users, a trusted third party, and / or a target user, and may be assigned to a particular individual signer (eg, , The signed user).

The target user 204 is then combined or combined with a trust credential (eg, Cert-AT 226) that includes the weights assigned to each signed user and / or signed versions of the credential Cert. A certificate may be generated (224).

In one example, the composite credential Cert-AT may be expressed as follows:

Cert-AT = (Cert, user-A_ID, Pub-A,

User-B_ID, Sig _{Priv- B} (Cert), Wt-AB,

User-C_ID, Sig _{Priv- C} (Cert), Wt-AC,

User-D_ID, Sig _{Priv- D} (Cert), Wt-AD,

User-E_ID, Sig _{Priv- E} (Cert), Wt-AE,

User-F_ID, Sig _{Priv -F} (Cert), Wt-AF,

User-G_ID, Sig _{Priv- G} (Cert), Wt-AG,

User-H_ID, Sig _{Priv- H} (Cert), Wt-AH).

This version of the composite credential Cert-AT may assume that the public keys for the signers of the user credential Cert are known or obtainable by the recipient or authorized person. For example, the public key may already be distributed throughout the network or may be obtained independently by an authorized person, so that the public keys may not be included.

In the example shown in FIG. 2, the composite credential Cert-AT may be expressed as follows:

Cert-AT = (Cert, user-A_ID, Pub-A,

User-B_ID, Sig _{Priv- B} (Cert), Wt-AB, Pub-B,

User-C_ID, Sig _{Priv- C} (Cert), Wt-AC, Pub-C,

User-D_ID, Sig _{Priv- D} (Cert), Wt-AD, Pub-D,

User-E_ID, Sig _{Priv- E} (Cert), Wt-AE, Pub-E,

User-F_ID, Sig _{Priv -F} (Cert), Wt-AF, Pub-F,

User-G_ID, Sig _{Priv- G} (Cert), Wt-AG, Pub-G,

User-H_ID, Sig _{Priv- H} (Cert), Wt-AH, Pub-H).

In this version of the composite credential Cert-AT, the user device may attach public keys for the signers of the user credential Cert.

In another example, the composite credential Cert-AT may be expressed as follows:

Cert-AT = (Cert, user-A_ID, Pub-A,

Sig _{Priv -B} (Cert), Wt-AB,

Sig _{Priv -C} (Cert), Wt-AC,

Sig _{Priv -D} (Cert), Wt-AD,

Sig _{Priv -E} (Cert), Wt-AE,

Sig _{Priv -F} (Cert), Wt-AF,

Sig _{Priv -G} (Cert), Wt-AG,

Sig _{Priv -H} (Cert), Wt-AH,

User-B… User-H, user-I... User-R,

Pub-B… Pub-H).

In this version of the composite entitlement Cert-AT, all user identities for all identified potential signers (ie, User-B… User-H and User-I… User-R) optionally have their corresponding public keys. Are attached to the combined qualification. In this example, users User-I... User-R is unsigned users. In other examples, the identities of all identified potential signers (ie, User-B… User-H and User-I… User-R) may be attached or included as part of the initial / user credential Cert sent to the potential signers. Note that there is.

In another example, the composite credential Cert-AT may be expressed as follows:

Cert-AT = (Cert, user-A_ID, Pub-A,

User-B_ID, Sig _{Priv- B} (Cert), Wt-B,

User-C_ID, Sig _{Priv- C} (Cert), Wt-C,

User-D_ID, Sig _{Priv- D} (Cert), Wt-D,

User-E_ID, Sig _{Priv- E} (Cert), Wt-E,

User-F_ID, Sig _{Priv -F} (Cert), Wt-F,

User-G_ID, Sig _{Priv- G} (Cert), Wt-G,

User-H_ID, Sig _{Priv- H} (Cert), Wt-H).

In this version of the composite entitlement Cert-AT, each weight may be assigned to a specific signer rather than to an interface between the target user and the particular signer (ie, User-B has a weight Wt-B and User-C is a weight). Formula having Wt-C). For example, a community of users, trusted third parties, and / or target users may assign weights to particular individual signers. Note that in some implementations, public keys for at least signers (eg, signing users) can also be included as part of a certificate (Cert-AT). Although various examples herein may be shown using interface weights (eg, between a target user and signer), such weights may be replaced with user-specific weights (eg, signer-specific weights). It should be clear that it can.

In addition, the signature may be generated by the target user on selected portions or portions of the composite credential Cert-AT or the composite credential Cert-AT. For example, in some examples, signatures can exclude public keys for signed users because they are already known. In addition, the inclusion of weights for each signed user may be optional in implementations in which the authorized user assigns his own weights and / or does not consider the weights assigned by the target user 204. For authentication, a composite or combined certificate and trust credential Cert-AT 226 can be signed by the private key Priv-A of the target user 204 to obtain a signed version of the Cert-AT 228. Can be authenticated by the corresponding public key Pub-A.

The target user 204 then presents the credentials 228 as a means for authenticating itself to other users and as a way to provide trust credentials that can be easily verified by these other users. A combined or combined certificate and trust credential Cert-AT 226 may be sent or distributed with a signed version of. For example, recipient users in the social network may be able to verify the signatures of other users of the social network to generate a trust metric for the target user 204.

In one example, weights assigned to other users 206, 208, 210, 212, 214, 216 and / or 218 may be generated in various ways. For example, the weight for the second node (in terms of the first node) may be assigned at the edge or interface between the first and second nodes. The first node may, for example, know, among other factors and / or criteria, how long the first node has known or knows how to relate to the second node, the trust that the first node has with respect to the second node, and / or Alternatively, weights may be assigned to the second node based on trust / relationship with other intermediate nodes.

According to an alternative implementation, the weights may be communicated separately from the composite qualification (eg, out of band). For example, the recipient may receive a compound credential Cert-AT (not including signer weights), and then the signers identified therein from the target user, signers themselves and / or trusted third parties. Can obtain / receive / request weights for.

3 shows how node / user weights can be generated by a target user for other nodes or users. In this example, each node / user can set weights for direct relationships between each other between other nodes / users. For example, target user A 204 assigns weights Wt-AB, Wt-AC, and Wt-AD to direct relationship users 206, 208, and 210, respectively. Similarly, in some implementations, target user A 204 will assign weights Wt-AE, Wt-AF, Wt-AG, and Wt-AH to indirect relationship users 212, 214, 216, and 218, respectively. Can be. In this implementation, target user A 204 may independently check the weight for each of the users (eg, potential signers). For example, target user A 204 may be: (a) an indirect relationship user's own knowledge, (b) a relationship with one or more intermediate users and / or (c) an indirect relationship user Weights may be assigned to indirect relationship users based on " (eg, the number of intermediate hops or nodes).

From the perspective of target user A 204, various weights Wt-AX are set up, generated, and / or assigned to direct or indirect relationships between target user A 204 and other nodes / users X. do. For example, target user A 204 may have direct weights Wt-AB, Wt-AC and Wt-AD for users / nodes B 206, C 208 and D 210 with which it has a direct relationship. You can assign to each. In this example, for indirect relationships, target user A 204 is assigned weights Wt-EB for indirect nodes / users E 212, F 214, G 216 and H 218, Wt-EC, Wt-CF, Wt-CG and / or Wt-DH may be generated respectively.

As shown in Figures 4, 5 and 6, various different methods may be implemented to assign weights for indirect users / nodes to the target user.

4 illustrates a weight allocation method implemented by target user A for both direct and indirect relationship nodes / users. For example, user / node B 206 may have a direct relationship with user / node E 212. In this example, the target user 204 can assign the weight Wt-AB to the direct relationship node / user B 206. Similarly and independent of node / user B, target user A 204 may assign or create a weight Wt-AE for indirect relation node / user E 212. For example, this selection of weights for the indirect relationship node / user E 212 may be prior to dealings between target user A 204 and user / node E 212 and / or in the network. It may be based on the reperation of user / node E 212. In this way, target user A 204 can obtain a weight Wt-BE that it can use to generate a weight Wt-E _A for user / node E 212.

5 illustrates another weighting method implemented by target user A for both direct and indirect relationship nodes / users. In this example, the weight assigned to the indirect user / node can be based at least in part on the weight (s) assigned to the intermediate relationship. For example, user / node B 206 may be an intermediate node / user between target user A 204 and user / node E 212. When assigning weight Wt-AB to node / user B 206, target user 204 is based in whole or in part on the weight assigned to user / node B (ie, Wt-AE = f (Wt-AB)). To assign the weight Wt-AE to the indirect relationship node / user E 212. Alternatively, in another implementation, node / user B 206 may provide or assign weight Wt-BE to node / user E 212, and assign the weight Wt-BE to target user / node A 204. To provide. The target user 204 then determines the weight assigned to user / node B 206 and the weight assigned to node / user E 212 by node / user B 206 (ie, Wt-AE = f ( Wt-AB, Wt-BE) may be assigned a composite weight Wt-AE to indirect relationship node / user E 212 based in whole or in part. When compound weights are provided, a notification / indicator may also be provided to distinguish it from direct weights.

6 illustrates another weighting method implemented by target user A for both direct and indirect relationship nodes / users. In this example, target node / user A 204 assigns weights to other nodes based on its “distance” to the node / user (eg, hops or number of intermediate nodes / users) or Can be generated. For example, user / node B 206 has a weight Wt-AB that is a function of the proximity of node / user A 204 to node / user B 206 (ie, f (distance to node B)). Can be assigned. In this example, node / user B 206 is only one hop away from target user / node A 204. Similarly, user / node E 212 has a weight Wt− that is a function of proximity or indirect relationship from node / user A 204 to node / user E 212 (ie, f (distance to node E)). AE may be assigned. In this example, node / user E 212 is two hops away from target user / node A 204.

Note that other methods for assigning weights to nodes / users can be implemented and are considered within the scope of the present disclosure. In some examples, two or more of the techniques shown in FIGS. 4, 5, and / or 6 may be combined to assign / create user / node weights.

7 is a block diagram illustrating an example of how authentication and / or trust credentials for a target user can be used by an authorized user. In this example, the target user 702 sends its certificate and trust credential Cert-AT 704 to the authorized user 706. For example, the target user 702 may be seeking to acquire some data or perform a transaction with an authorized user 706. Alternatively, the target user 702 may be seeking to conduct a transaction with another user who is using the authorized user 706 for some data acquisition or authentication and / or trust generation services.

In this example, the certificate and / or trust composite credential Cert-AT 704 may include a target user credential Cert, a target user identifier user-A_ID, and a target user public key Pub-A. In addition, the composite credential Cert-AT 704 also assigns signed users (e.g., User-B_ID, User-C_ID, User-D_ID, User-E_ID, User-F_ID, User-G_ID, User-H_ID). User identifiers / identities for the user, signed versions of the user credential Cert signed by these users (eg, Sig _{Priv -B} (Cert), Sig _{Priv -C} (Cert), Sig _Priv-D (Cert ), Sig _{Priv -E} (Cert), Sig _{Priv -F} (Cert), Sig _{Priv -G} (Cert), Sig _{Priv -H} (Cert)), (optional) (assigned by the target user 704) In addition to the weights for each signed user, the public key for each signed user (e.g., Pub-B, Pub-C, Pub-D, Pub-E, Pub-F, Pub-G, Pub-H). In some examples, versions of a user entitlement Cert signed by other users (eg, Sig _{Priv -B} (Cert), Sig _Priv-C (Cert), Sig _{Priv -D} (Cert), Sig _{Priv -E} (Cert), Sig _{Priv -F} (Cert), Sig _{Priv -G} (Cert), Sig _{Priv -H} (Cert) may be understood or implied in the form of a sponsor or endorsement of the target user 702. .

Upon receipt of a certificate and / or trust composite credential Cert-AT 704, the authorized user 706 will authenticate the composite credential Cert-AT, ie, using the public key Pub-A associated with the target user 702. Can be. Authorized user 706 is also responsible for, for example, signing users (eg, User-B, User-C, User-D, User-E, User-F, User-G, and User-H). Signed versions of the user entitlement Cert using public keys (e.g., Pub-B, Pub-C, Pub-D, Pub-E, Pub-F, Pub-G, and Pub-H) (e.g., , Sig _{Priv -B} (Cert), Sig _Priv-C (Cert), Sig _{Priv -D} (Cert), Sig _{Priv -E} (Cert), Sig _{Priv -F} (Cert), Sig _{Priv -G} (Cert), Sig _{Priv -H} (Cert)) can authenticate one or more. Authorized user 706 also uses target user _A (Certificate Sig _{Priv -A} (Cert-AT) 716) signed using the target user 702's public key Pub-A. 702 may be authenticated. Once the authentication and / or trust composite credential Cert-AT 714 is successfully authenticated, the authorized user 706 may proceed with the generation or computing of a trust metric for the target user 702.

In some implementations, the trust metric (Metric A 718) can be used to sign the users of the certificate and trust entitlement Cert-AT 714 for the target user 702 (eg, User-B, User-C, One or more weights (eg, Wt-AB, Wt-AC, Wt-AD, Wt-AE, Wt) for User-D, User-E, User-F, User-G, and User-H -AF, Wt-AG, Wt-AH) can be computed or generated as a function f. The function combines one or more weights (eg, Wt-AB, Wt-AC, Wt-AD, Wt-AE, Wt-AF, Wt-AG, Wt-AH) to combine the metric (Metric A (718) )).

In another implementation, authorized user 706 may have signed signed users (eg, User-B, User-C, User-D, User-E) who signed Cert-AT 714. , User-F, user-G, and user-H) (eg, Wt-AB ', Wt-AC', Wt-AD ', Wt-AE', Wt-AF ', Wt) -AG ', Wt-AH') can be allocated (710). This allows the authorized user to decide solely which users should be given greater weight. The weights assigned by the authorized user 706 can then be used to generate or compute a confidence metric (Metric-A '720) for the target user 702.

In another implementation, multiple sets of weights may be combined to generate a confidence metric (Metric-A '722) for the target user 702. For example, weights assigned by authorized and target users for signed users may be combined to obtain a confidence metric. In another example, for signers known to the target user, the target user-assigned signer weights are determined solely by the target user, while the user-assigned signer weights for signers not known to the target user are such known. It is based at least in part on weights provided by known signers for those who are not.

In some implementations, a user entitlement time stamp or lifetime indicator can be attached to the entitlement Cert-AT at the target user device prior to distribution to one or more recipients.

FIG. 8 (including FIGS. 8A and 8B) illustrates the operation of a plurality of devices to generate a social graph based entitlement and compute trust metrics for a user device based on endorsements by one or more signer devices. It is a flowchart showing the. The user (user device 802) is signed by one or more signers (signer device 804) and is entitled to be used by one or more recipients (receiver device 806) by the user for authentication. Can have In addition, the recipient (approved) device 806 can compute a trust metric associated with the signer device 804 for the user device 802 based on various different factors as described in more detail below.

For illustration purposes, in FIG. 8, a user entitlement Cert is being used to provide to other users. However, one implementation may use a Pretty Good Privacy (PGP) type approach and may use the user's public key as an entitlement Cert. Since the user's public key can only be used to authenticate a signature that was generated using the user's corresponding private key, there is a degree of security in this manner as only a person holding the private key can generate a signature. do. Also, since the user's entitlement is used only as a vehicle for collecting signatures from other users, its value may be irrelevant as long as the entitlement can be authenticated.

The user device 802 may generate or obtain a credential 808. For example, a credential can be obtained from a trusted third party certificate authority. Next, the user device 802 can obtain or generate a user public / private key pair that includes a user public key (Pub-U) and a corresponding user private key (Priv-U) (810). Potential signers may be identified 812 from one or more social networks to which the user device is a member. Social networks may include, but are not limited to, Facebook®, Linkedin®, Flickr®, and Bebo®. Once potential signers are identified, entitlement for one or more of the potential signers can be sent from the user device 802 to the signer devices 804 (814). Each signer device 804 receiving the entitlement may generate or obtain (816) a signer public / private key pair consisting of a signer public key (Pub-S) and a corresponding signer private key (Priv-S). . Using its private key of the signer (Priv-S), each of the signatory device may Signature _{(Sig Priv -S (Cert))} (818) eligibility, the qualified signature (Sig _{Priv -S} (Cert)) May be transmitted to the user device (820). Optionally, the signer device 804 can also send its public key (Pub-S) or its user / device identifier (signer ID) in addition to the signed credentials (Sig _{Priv -S} (Cert)).

The user device 802 may then receive one or more signed credentials (Sig _{Priv -S} (Cert) _{S = 1 ... i} ), where S = original from the user device. The number of potential signers who received the entitlement. Next, the user device 802 can assign the user weight W _S to each of the signed credentials Sig _{Priv- S} (Cert) _{S = 1 ... i} received from the signer devices (824). ). The user (signer) weights W _S assigned to each signer determine how the user and signer got to know, how long the user knew the signer, and the environment for the history and types of interactions between the user and the signer. May be affected by a number of factors (eg, but not limited to) that may be collected from, for example, social network connections. After the user weight is assigned, the received credentials Sig _{Priv -S} (Cert) _{S = 1 ... i} are signed by the user device using the user private key (Priv-U) to obtain a user signature. (Sig _{Priv -U} (Sig _{Priv -S} (Cert) _{S = ... i} , Pub-S, W _i )) 826. Note that other information may also be signed using a user key (Priv-U) that includes user weights W _S and / or signer identifier or signer public keys Pub-S.

The user device 802 then checks the original credential (Cert), received signed credentials (Sig _{Priv- S} (Cert) _{s = 1 ... i} ), signer public key (Pub-S), user- Receive assigned device weights (W _S ) and / or user signatures (Sig _{Priv -U} (Sig _{Priv -S} (Cert) _{S = 1 ... i} , Pub-S, W _S )) Distribute to 806 (828).

Optionally, the recipient device 806 can independently generate or obtain a user public key (Pub-U) and a signer public key (Pub-S) 830. Next, the receiver device 806 uses the user public key (Pub-U) to sign the user (Sig _{Priv -U} (Sig _{Priv -S} (Cert) _{S = 1 ... i} , Pub-S, W _S ). May be verified / certified (832). The receiver device 806 then verifies each of the received credentials Sig _{Priv- S} (Cert) _{S = 1 ... i} signed by the signer devices using the signer public keys Pub-S. May be 834.

Once the user signature (Sig _{Priv -U} (Sig _{Priv -S} (Cert) _{S = ... i} , Pub-S, W _S )) and signed versions of the user entitlement (Sig _{Priv -S} (Cert) _{S = 1} / _i ) verification / certification occurs, the receiver device 806 assigns its own recipient-assigned to each signed user credential (Sig _{Priv- S} (Cert) _{s = 1 ... i} ). Signer weight W _R may be selectively assigned (836). Upon successful authentication (steps 832 and 834), the recipient device 806 is based on user-assigned signer weights W _S and / or receiver-assigned signer weights W _R 838. Trust metrics can be computed.

Example user device  And its actions

9 illustrates a block diagram of a user device 900 according to an example. User device 900 may include processing circuitry 902 (eg, one or more processors, processing modules, sub-circuits) coupled to memory / storage device 904 and / or communication interface 906. And the like). Memory / storage device 904 may serve to store public / private keys 914 and one or more signed / unsigned credentials 916. The communication interface 906 (including, for example, transmitter circuitry and / or receiver circuitry) may comprise the user device 900, for example, where the user device 900 is part of other devices in a social network and / or online community. And / or communicatively couple to a wireless communication network 908 that enables communication and / or communication with other devices.

According to one aspect, the memory / storage device 904 may store one or more operations or instructions 912, wherein the one or more operations or instructions 912 are stored by the processing circuit 902. When executed, it causes the processing circuitry to generate social network based qualifications.

In addition, the processing circuit 902 may execute these operations / instructions stored in the memory / storage device 904. For example, the processing circuit is:

(a) obtain a user public key Pub-U and a corresponding user private key Priv-U;

(b) obtain a user certificate (Cert) (eg, Cert = user public key or Cert from a trusted third party certification authority);

(c) identify potential signers from one or more social networks; And / or

(d) Distribute User Certificates to Potential Signers.

In response to the distribution of the user certificate (Cert), the user device 900 is:

(a) receive one or more signed versions of Sig _Priv-S (Cert) _{S = 1 ... i} from other users;

(b) assign a weight W _S to each user who signs the user entitlement; And / or

(c) Sign the composite Cert = Sig _{Priv -U} (Cert, Sig _{Priv -S} (Cert) _{S = 1 ... i} , Pub-S, W _S ).

The user device 900 then performs, among other parameters, the user Cert, along with the composite user signature Sig _Priv-U (Sig _{Priv- S} (Cert) _{S = 1 ... i} , Pub-S, W _S ). One or more signed versions of the user entitlement Sig _{Priv -S} (Cert) _{S = 1 ... i} , and a composite entitlement including user-assigned signer weights and _S (eg certificate and trust entitlement) Cert-AT) can be distributed.

According to another example, the processing circuit 902 is a credential generator 920 adapted to generate its user credential Cert and / or a composite user credential (eg, based on social network contributions), social network—signing thereto. User entitlement is sent for retrieving / selecting potential signers from potential signer selector 922, signer weight generator 922 adapted to assign weights to those signers that transmit signed user entitlements to a user device. And / or a signed credential accumulator 924 that receives signed user credentials from potential signers. Such circuits may be combined with or alone with information available from the memory / storage device 904 and / or other circuits of the processing circuit 902, such as social network based multi-user entitlement (eg, combined authentication and Functions and / or steps to create a trust credential).

10 illustrates an example of an operation of a user device to facilitate generation of social network based trust metrics. The user device may acquire a user entitlement for the user of the user device, where the user is associated with the user public key (Pub-U) and the corresponding user private key (Priv-U) (1002). In one example, the user entitlement can be a user public key. Alternatively, user credentials may be obtained from a trusted third party certification authority. Next, the user device can identify 1004 a plurality of potential signers in one or more social networks. For example, the plurality of potential signers may be identified from contacts derived from emails and / or address book for the user. Social Networks Social networks may include, but are not limited to, Facebook®, Linkedin®, Flickr®, and Bebo®. Once potential signers are identified, a signer credential (eg, user public key) can be sent to the plurality of potential signers identified from the user device (1006). Next, the user device may receive 1008 one or more signed versions of a user credential (Sig _{Priv -S} (Cert)) from at least some of the plurality of potential signers. The signed version of the user credential Cert can be signed using a signer private key (Priv-S) associated with the potential signer who received the user credential. Once signed versions of the user entitlement are received, the user device may interface-specific and / or signer-specific weights and _{S to} each received signed version of entitlement Sig _{Priv -S} (Cert) _{S = 1 ... i} . Can be assigned / obtained 1010, and the signer weight W _S corresponds to the signer of each received signed version of the user entitlement. The interface-specific weights may correspond to the relationship between the user and the signer. In various examples, the signer weights (eg, user-assigned signer weights) for each signer may be (a) a trust relationship between the user and the signer, and / or (b) a relationship between the signer and the user in the social network. It can be proportional to the distance. Signer-specific weights may be associated with a particular signer rather than a specific relationship between a user (target) and the signer. Signer-specific weights may be generated by at least one of a trusted third party or a community of users.

The user device then converts the identity and / or signer weights of the user entitlement, the received one or more signed versions of the user entitlement, the at least one signer weights of the received one or more signed versions of the user entitlement into a composite entitlement. Can be combined (1012).

Next, the user device may generate 1014 a user signature by signing all or part of the composite credential. In one example, the user signature can be the public key for the signers on the received signed versions of the user entitlement and / or the user-assigned signer weights W _S are weighted using the user private key (Priv-U). (Eg, Sig _{Priv -U} (Sig _{Priv -S} (Cert) _{S = 1 ... i} , Pub-S, W _S ).

The user device is then one of the compound entitlements (eg, user entitlement, user signature Sig _{Priv -U} (Sig _{Priv -S} (Cert) _{S = 1 ... i} , Pub-S, W _S ), one of the user entitlements. Or two or more signed versions Sig _{Priv- S} (Cert) _{S = 1 ... i} and / or user-assigned signer weights W _S (and possibly other parameters)) May be distributed to (1016).

Example signer device  And its actions

11 shows a block diagram of an internal structure of signer device 1100 according to an example. Signer device 1100 (e.g., authorized user and / or device) may include processing circuitry (e.g., processor, processing module, etc.) coupled to memory / storage device 1104 and communication interface 1106. 1102). The communication interface 1106 (e.g., comprising transmitter circuitry and / or receiver circuitry) may include a signer device 1100 such that the signer device 1100 is part of other devices in a social network and / or online community. And / or communicatively couple to a wireless communication network 1108 that enables and / or communicates with other devices. The memory / storage device 1104 may include one or more operations (commands) for signing 1112 the received user entitlement and sending the signed user entitlement back to the user, where the signed user Qualifications ultimately become part of social network-based qualifications for users.

Processing circuit 1102 is:

(a) obtain a signer public key (Pub-S) and a corresponding signer private key (Priv-S);

(b) receive a user certificate (Cert) from the user;

(c) Sign the user Cert with Signer Private Key: Priv-S = Sig _{Priv -S} (Cert); And / or

(d) Implement operations stored in memory / storage device 1104 to send a signed version of the user entitlement (Sig _{Priv- S} (Cert)) and (potentially) Pub-S or signer identifier to the user.

According to another example, the processing circuit 1102 may include a credential verifier 1120 that is adapted to verify / authenticate a received user credential, such that the user of the received user credential (eg, via a direct or indirect social link) signer device. A user verifier 1122 adapted to verify that it is known at 1100 and / or a credential signer 1124 adapted to sign the received user entitlement. These circuits, in combination with or alone with information available from the memory / storage device 1104 and / or other circuits of the processing circuit 1102, are functions to assist in the generation of social network based trust metrics for the user. And / or steps may be performed.

12 shows an example of the operation of a signer device to facilitate the creation of a social network based user entitlement. The recipient device may generate or obtain a signer private key (Priv-S) and a corresponding signer public key (Pub-S) (1202). The recipient device may also receive a user entitlement associated with the user of the social network (1204). The recipient device may (optionally) authenticate the user entitlement (1206) and / or verify the direct or indirect relationship of the user entitlement with the user (1208). If this authentication and / or verification is successful, the signer device can sign the received user entitlement using its private key (Priv-S) (1210) and return the signed user entitlement to the user (1212). .

Example Recipient device  And its actions

13 shows a block diagram of an internal structure of a receiver device 1300 according to an example. Receiver device 1300 (e.g., authorized user and / or device) includes processing circuitry (e.g., processor, processing module, etc.) coupled to memory / storage device 1304 and communication interface 1306. 1302). Receiver communication interface 1306 (including, for example, transmitter circuitry and / or receiver circuitry) provides a receiver device 1300, for example, where the receiver device 1300 is a device in a social network and / or online community. May be adapted to communicatively couple to a wireless communication network 1308 to be part of and / or communicate with other devices. The memory / storage device 1304 is for verifying social network based entitlements (1312), generating social network based trust metrics (1318), and storing (1314) one or more public and / or private keys. One or more operations (instructions) and one or more qualifications 1316.

The processing circuit 1302 is:

(a) obtaining public keys Pub-U and Pub-S (eg, associated with other users in the social network);

(b) receive the composite credential and the user signature (eg, on the composite credential including the user credential for the first user but signed by other users);

(c) verify / certify user signature Sig _{Priv- U} (Sig _{Priv- S} (Cert) _{S = 1 ... i} , Pub-S, W _S );

(d) verify / certify signed versions Sig _{Priv- S} (Cert) _{S = 1 ... i} of the user entitlement;

(e) possibly assigning weights W _R to the signers of the user qualification; And / or

(f) a user-assigned signer weights W _S and / or recipient-assigned signer weight to W _R (at least partially) on the basis of the operation stored in the memory / storage device 1304 to generate a confidence metric for the user Can be implemented.

According to another example, the processing circuit 1302 may be a credential verifier 1320 adapted to verify a user credential and / or a composite credential (eg, based on social network contributions); Signer weight generator 1322 and / or user weights assigned by the first user in their composite user entitlement and / or user weights assigned by the receiver device adapted to assign weights to those signers who contributed And a trust metric generator 1324 that generates a trust metric for the first user based on the result. These circuits, in combination with or alone with information available from the memory / storage device 1304 and / or other circuits of the processing circuit 1302, are capable of generating a social network based trust metric for the first user. And / or steps may be performed.

14 illustrates an example of an operation of a recipient device to generate a social network based trust metric for a user. The recipient device may generate or obtain a user public key (Pub-U) and a signer public key (Pub-S) (1402). Next, the recipient device receives the user certificate (Cert), one or more signed versions of the user certificate signed by one or more signers in the social network Sig _{Priv -S} (Cert) _{S = 1 ... i} The composite credential may be received (1404), including the user signature on corresponding user-assigned signer weights and _S and / or the composite credential (in whole or in part) assigned by the user. For example, the user signature Sig _{Priv -U} (Sig _{Priv -S} (Cert) _{S = 1 ... i} ) may be one or more signed versions of the user entitlement (Sig _{Priv -S} (Cert) _{S = 1. ..i} ). The recipient device may then authenticate one or more signed versions of the composite credential and the user credential (1406). For example, the composite credential can be authenticated based on the user signature Sig _{Priv -U} (Sig _{Priv -S} (Cert) _{S = 1 ... i} ) using the user public key. Similarly, one or more signed versions of the user credential Sig _{Priv- S} (Cert) _{S = 1 ... i} may be authenticated using the corresponding signer public key.

Optionally, the recipient device can assign a recipient weight to each signed version of the user entitlement (1408), and the recipient-assigned signer weight corresponds to the signer of each signed version of the user entitlement. If authentication is successful, a trust metric for the user may be computed based on one or more signers (eg, user-assigned signer weights and / or recipient-assigned signer weights) (1410). .

Key signature

A given user entitlement may be signed by any number of other users (signers) that make up the user's social graph. In this system, to generate a trust metric for a user, user entitlement is used as a vehicle for obtaining or collecting signatures from other users (signers) in the social network, and corresponding to other users (signers). Note that these signatures can be used with weights. Thus, the entitlement itself can be anything uniquely associated with a user. For example, in one example, a credential can be a user's public key that can be signed by other users (signers) (eg, the public key is being used as a user credential). In this sense, the signature of the user's public key is similar to a Pretty Good Protection (PGP) system.

In practical systems, the number of levels a signer can be removed from a user can be limited by the size and / or structure of the social graph and can serve (at least in part) when assigning weights for the signer to the user. Can be.

A weight may be assigned to the signature that corresponds to the link between the user and the signer (other users). For example, if a user is directly linked to that signer, higher weights may be assigned to the signer. If a user is only indirectly linked to different signers, a correspondingly lower weight may be assigned to different signers. As the interaction between two users increases or decreases (eg, in response to changing social graph node locations), these assigned weights can be adjusted dynamically (eg, over time). , Time varying weights).

Also, different weights may be applied to different signers based on the purpose of the key (eg, purpose-specific weights). In addition, different weights may be applied to the same signer based on the purpose for which the key is being used. For example, to use secure communication or to allow for sharing of privacy sensitive information, the process of key signing can be initiated by the user. Prompts / requests for signatures may be automated by the system using a weighted social graph, or the user may be required to select other users in the social graph based on preferences.

Purpose-specific public keys

According to one aspect, a user may have a plurality of different purpose-specific (eg, purpose-specific) public keys. In one example, Alice can have multiple public keys corresponding to her professional and social identities. The signature for these cases can be handled in the true sense by generating domain-specific interaction graphs such as job-specific graphs and social graphs. Alternatively, the signature can be handled by weighting nodes (signers) associated with a particular purpose of the key higher than other nodes (signers). For example, Alice's career identity can weight signatures from her coworkers (signers) that are higher than her friends' signatures. The weights can be dynamically adjusted based on the ongoing interactions and intersections of various domain specific nodes or graphs, i.e., if the signature is from someone Alice knows at work as well as socially interacting with, the particular node (signer) It can be understood that weighting the signature of) lower.

receiver  Based weighting and trust metrics

If this system is not based on a globally trusted global PKI, the trust level can be a complex combination of signers and recipient (s). That is, for example, if the recipient trusts the first signer more, the recipient can trust the signature for the target user's credentials from the first signer than from the second signer. On the other hand, the second signer may know / better known to the target user. In one aspect, two sets of weights (ie, user-assigned signer weights and receiver assigned signer weights) may be used for the receiver for computing the confidence metric. Key owner weights (also referred to as user-assigned allocator weights) and key recipient weights (also referred to as receiver-assigned signer weights) apply to a given entitlement signer (ie, the signer of a version of the user entitlement). Can be used. The recipient may apply the recipient-assigned signer weights in conjunction with or independently of the user-assigned signer weights to compute a confidence metric for the user.

Applicability

In addition to facilitating basic authentication and encryption on social networks in a fairly simplified manner, this mechanism allows estimation of the trust metric at settings that are not fully known. For example, potential employers looking at a profile on Linkedin® may apply higher weights to signers used by them and trusted by them as experts in the art. Such applications can open the possibilities of confidence metrics in electronic interactions that are typically only feasible in human interactions. The weights can be designed as tunable parameters that can be specified by the end user of the system or applications to dynamically derive confidence metrics useful to them.

One or more of the components, steps, features and / or functions shown in the figures may be rearranged and / or combined into a single component, step, feature or function, or some components, steps or functions It can be implemented as. Additional elements, components, steps and / or functions may also be added without departing from the novel features disclosed herein. The apparatus, devices, and / or components shown in the figures may be configured to perform one or more of the methods, features, or steps described in the figures. In addition, the novel algorithms described herein may be efficiently implemented in software and / or embedded in hardware.

It is also noted that the embodiments may be described as a process that is depicted as a flowchart, flow chart, structure diagram or block diagram. Although a flowchart may describe the operations as a sequential process, many of the operations can be performed simultaneously or concurrently. In addition, the order of the operations may be rearranged. The process ends when its operations complete. Processes may correspond to methods, functions, procedures, subroutines, subprograms, and the like. When a process corresponds to a function, its termination corresponds to the return of the function to the calling function or the main function.

Moreover, storage media may include read-only memory (ROM), random access memory (RAM), magnetic disk storage media, flash memory devices, and / or other machine readable media for storing information, processor readable media, and / or Or one or more than one for storing data including computer readable media. The terms “machine readable medium”, “computer readable medium” and / or “processor readable medium” may refer to non-transitory media such as portable or fixed storage devices, optical storage devices and instruction (s) and And / or various other media capable of storing, containing or conveying data. Thus, the various methods described herein may be stored in “machine readable medium”, “computer readable medium” and / or “processor readable medium” and may include one or more processors, machines, and / or devices. It may be implemented in whole or in part by instructions and / or data that can be executed by them.

In addition, embodiments may be implemented by hardware, software, firmware, middleware, microcode, or any combination thereof. When implemented in software, firmware, middleware or microcode, the program code or code segments for performing the necessary tasks may be stored on a machine readable medium, such as a storage medium or other storage (s). The processor can perform the necessary tasks. A code segment can represent a procedure, function, subprogram, program, routine, subroutine, module, software package, class, or any combination of instructions, data structures, or program statements. A code segment may be coupled to another code segment or hardware circuit by conveying and / or receiving information, data, arguments, parameters or memory contents. Information, argument parameters, data, etc. may be communicated, forwarded or transmitted via any suitable means, including memory sharing, message delivery, token delivery, network transmission, and the like.

The various illustrative logic blocks, modules, circuits, elements, and / or components described in connection with the examples disclosed herein may be general purpose processors, digital signal processors (DSPs), application specific integrated circuits (ASICs), field programs. It may be implemented or performed in a possible gate array (FPGA) or other programmable logic component, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general purpose processor may be a microprocessor, but, in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing components, eg, a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration. .

The algorithms or methods described in connection with the examples disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two in the form of a processing unit, programming instructions, or other directions. It may be included in a single device or distributed across multiple devices. The software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art can do. The storage medium may be coupled to the processor such that the processor can read information from and write information to the storage medium. Alternatively, the storage medium may be integrated into the processor.

Those skilled in the art will appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the embodiments disclosed herein may be implemented in electronic hardware, computer software, or a combination of both. It will further be appreciated that it can be implemented as. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented in hardware or software depends on the particular application and design constraints imposed on the overall system.

Various features of the invention described herein may be implemented in different systems without departing from the invention. It should be noted that the above embodiments are merely examples and are not to be construed as limiting the invention. The description of the embodiments is intended to be illustrative rather than limiting in scope of the claims. As such, the present teachings can be readily applied to other types of apparatuses, and many alternatives, modifications, and variations will be apparent to those of ordinary skill in the art.

Claims (49)

A method operable on a user device for generating social graph based qualifications, the method comprising:
Obtaining a user entitlement for a user of the user device, wherein the user is associated with a user public key and a corresponding user private key;
Identifying a plurality of potential signers in one or more social networks;
Transmitting the user entitlement from the user device to the plurality of potential signers;
Receiving at the user device one or more signed versions of the user entitlement from at least some of the plurality of potential signers; And
Combining the identity of at least these signers of the user entitlement, the received one or more signed versions of the user entitlement, and the received one or more signed versions of the user entitlement into a composite certificate; Including,
A method operable on a user device for generating social graph based entitlements. The method of claim 1,
Generating a user signature by signing at least a portion of the composite credential using the user private key; And
Attaching the user signature to the composite credential,
A method operable on a user device for generating social graph based entitlements. 3. The method of claim 2,
Generating the user signature,
Signing the user entitlement comprising the identities of the identified plurality of potential signers using the user private key; or
Signing the user entitlement comprising the received one or more signed versions of the user entitlement using the user private key;
A method operable on a user device for generating social graph based entitlements. The method of claim 3, wherein
Assigning a signer weight to each signed version of the user entitlement,
Each corresponding signer weight is associated with the signer of each signed version of the user entitlement,
Corresponding signer weights are also signed using the user private key to generate the user signature,
A method operable on a user device for generating social graph based entitlements. The method of claim 1,
The plurality of potential signers are identified from contacts derived from an address book or emails for the user,
A method operable on a user device for generating social graph based entitlements. The method of claim 1,
Transmitting the identities of the plurality of potential signers identified with the user entitlement from the user device to the plurality of potential signers for signature by one or more of the potential signers,
A method operable on a user device for generating social graph based entitlements. The method of claim 1,
The user entitlement includes the user public key,
A method operable on a user device for generating social graph based entitlements. The method of claim 1,
The first signed version of the user entitlement from one or more signed versions of the user entitlement is signed by a signer using a second private key and is authenticable using a corresponding second public key,
A method operable on a user device for generating social graph based entitlements. The method of claim 1,
Further distributing the user entitlement, the user signature, one or more signed versions of the user entitlement, and one or more user-assigned signer weights to one or more recipients,
A method operable on a user device for generating social graph based entitlements. The method of claim 1,
Attaching the user entitlement time stamp or life indicator to the user entitlement at the user device prior to distribution to one or more recipients,
A method operable on a user device for generating social graph based entitlements. The method of claim 1,
Obtaining a user-assigned signer weight for each signed version of the user entitlement; And
Adding the user-assigned signer weights for each signed version of the user entitlement to the composite entitlement,
A method operable on a user device for generating social graph based entitlements. The method of claim 11,
Wherein the user-assigned signer weight for each signer is proportional to the trust relationship between the user and the signer,
A method operable on a user device for generating social graph based entitlements. The method of claim 11,
Wherein the user-assigned signer weight for each signer is proportional to the relationship distance between the signer and the user in a social network,
A method operable on a user device for generating social graph based entitlements. The method of claim 11,
Wherein the user-assigned weight for each signer is at least one of time varying weights or purpose-specific weights,
A method operable on a user device for generating social graph based entitlements. The method of claim 11,
The user-assigned weight for each signer is based at least in part on weights received from other users and is authenticable by the user device,
A method operable on a user device for generating social graph based entitlements. The method of claim 11,
For signers known to the user, the user-assigned signer weight is only determined by the user, while for signers not known to the user, the user-assigned signer weight is not known to the user. Based at least in part on the weights provided by the signers known for the signers,
A method operable on a user device for generating social graph based entitlements. The method of claim 1,
Obtaining a signer-specific weight for each signed version of the user entitlement; And
Adding the signer-specific weight for each signed version of the user entitlement to the composite entitlement,
A method operable on a user device for generating social graph based entitlements. The method of claim 17,
Each signer-specific weight is associated with a corresponding signer,
A method operable on a user device for generating social graph based entitlements. The method of claim 17,
The signer-specific weight is generated by at least one of a trusted third party or a community of users,
A method operable on a user device for generating social graph based entitlements. As a user device,
A communication interface for communicating via a communication network; And
And a processing circuit coupled to the communication interface,
The processing circuit comprising:
Obtain a user entitlement for a user of the user device, the user associated with a user public key and a corresponding user private key;
Identify a plurality of potential signers in one or more social networks;
Send the user entitlement from the user device to the plurality of potential signers;
Receive at the user device one or more signed versions of the user entitlement from at least some of the plurality of potential signers; And
Adapt to combine the identity of at least these signers of the user entitlement, the received one or more signed versions of the user entitlement, and the received one or more signed versions of the user entitlement into a composite certificate felled,
User device. 21. The method of claim 20,
The processing circuit comprising:
Generate a user signature by signing at least a portion of the composite credential using the user private key; And
Further adapted to attach the user signature to the composite credential,
User device. 22. The method of claim 21,
The processing circuit comprising:
Sign the user entitlement comprising the identities of the identified plurality of potential signers using the user private key; or
Further adapted to sign the user entitlement comprising the received one or more signed versions of the user entitlement using the user private key;
User device. 22. The method of claim 21,
The processing circuit comprising:
Further adapted to assign a signer weight to each signed version of the user entitlement,
Each corresponding signer weight is associated with the signer of each signed version of the user entitlement,
Corresponding signer weights are also signed using the user private key to generate the user signature,
User device. 21. The method of claim 20,
The processing circuit comprising:
Further adapted to transmit the identities of the plurality of potential signers identified with the user entitlement from the user device to the plurality of potential signers for signature by one or more of the potential signers,
User device. As a user device,
Means for obtaining a user entitlement for a user of the user device, wherein the user is associated with a user public key and a corresponding user private key;
Means for identifying a plurality of potential signers in one or more social networks;
Means for transmitting the user entitlement from the user device to the plurality of potential signers;
Means for receiving at the user device one or more signed versions of the user entitlement from at least some of the plurality of potential signers; And
To combine the identities of at least these signers of the user entitlement, the received one or more signed versions of the user entitlement, and the received one or more signed versions of the user entitlement into a composite certificate; Means,
User device. The method of claim 25,
Means for obtaining a user-assigned signer weight for each signed version of the user entitlement; And
Means for adding the user-assigned signer weight for each signed version of the user entitlement to the compound entitlement,
User device. A processor readable medium having one or more instructions operable at a user device, the processor readable medium comprising:
When the one or more instructions are executed by one or more processors, the one or more processors cause:
Acquire a user entitlement for a user of the user device, the user associated with a user public key and a corresponding user private key;
Identify a plurality of potential signers in one or more social networks;
Send the user entitlement from the user device to the plurality of potential signers;
Receive at the user device one or more signed versions of the user entitlement from at least some of the plurality of potential signers; And
Combine the identity of at least these signers of the user entitlement, the received one or more signed versions of the user entitlement, and the received one or more signed versions of the user entitlement into a composite certificate ,
Processor Readable Media. 28. The method of claim 27,
When executed by one or more processors, the one or more processors cause:
Obtain a user-assigned signer weight for each signed version of the user entitlement; And
Further having one or more instructions operable at the user device to add the user-assigned signer weight for each signed version of the user entitlement to the compound entitlement,
Processor Readable Media. A method operable on a receiver device for generating a trust metric for a user, the method comprising:
Receiving at the recipient device a composite credential comprising one or more signed versions of the user credential signed by one or more signers in a user credential and social network and a user signature on the composite credential;
Authenticating one or more signed versions of the composite entitlement and the user entitlement; And
Generating a trust metric for the user based upon the one or more signers upon successful authentication,
A method operable on a receiver device for generating a trust metric for a user. 30. The method of claim 29,
The user entitlement is a user public key,
A method operable on a receiver device for generating a trust metric for a user. 30. The method of claim 29,
Receiving signer weights for each of the one or more signers as part of the composite entitlement,
A method operable on a receiver device for generating a trust metric for a user. 32. The method of claim 31,
A confidence metric for the user is generated based on received signer weights for the one or more signers,
A method operable on a receiver device for generating a trust metric for a user. 30. The method of claim 29,
Assigning a recipient-assigned signer weight to each of one or more signed versions of the user entitlement,
Each recipient-assigned signer weight corresponds to a signer of each of the signed versions of the user entitlement,
A method operable on a receiver device for generating a trust metric for a user. 34. The method of claim 33,
Generating the trust metric based on a combination of the signer weights and the recipient-assigned signer weights;
A method operable on a receiver device for generating a trust metric for a user. 34. The method of claim 33,
Generating a trust metric for the user based on the one or more recipient-assigned signer weights,
A method operable on a receiver device for generating a trust metric for a user. 30. The method of claim 29,
Authenticating the user entitlement comprises applying a user public key to the user signature to verify the authenticity of the signed content in the composite entitlement;
A method operable on a receiver device for generating a trust metric for a user. 30. The method of claim 29,
Authenticating one or more signed versions of the user entitlement includes applying a signer public key to one or more signed versions of the user entitlement to verify their authenticity;
A method operable on a receiver device for generating a trust metric for a user. 30. The method of claim 29,
One or more signed versions of the user entitlement are signed by someone other than the user,
A method operable on a receiver device for generating a trust metric for a user. As the receiver device,
A communication interface for communicating via a communication network; And
And a processing circuit coupled to the communication interface,
The processing circuit comprising:
Receive at the recipient device a composite credential comprising one or more signed versions of the user credential signed by one or more signers in the user credential and social network and a user signature on the composite credential;
Authenticate one or more signed versions of the composite credential and the user credential; And
Adapted to generate a trust metric for the user based upon the one or more signers upon successful authentication,
Receiver device. 40. The method of claim 39,
The user entitlement is a user public key,
Receiver device. 40. The method of claim 39,
The processing circuit is further adapted to receive a signer weight for each of the one or more signers,
Receiver device. 42. The method of claim 41,
A confidence metric for the user is generated based on received signer weights for the one or more signers,
Receiver device. 40. The method of claim 39,
The processing circuit comprising:
Further adapted to assign a recipient-assigned signer weight to each of one or more signed versions of the user entitlement,
Each recipient-assigned signer weight corresponds to a signer of each of the signed versions of the user entitlement,
Receiver device. As the receiver device,
Means for receiving a composite credential comprising one or more signed versions of the user credential signed by one or more signers in a user credential and social network and a user signature on the composite credential;
Means for authenticating the user entitlement and one or more signed versions of the user entitlement; And
Means for generating a trust metric for the user based upon the one or more signers upon successful authentication,
Receiver device. 45. The method of claim 44,
Means for receiving signer weights for each of the one or more signers,
A confidence metric for the user is generated based on received signer weights for the one or more signers,
Receiver device. 45. The method of claim 44,
Means for assigning a recipient-assigned signer weight to each of one or more signed versions of the user entitlement,
Each recipient-assigned signer weight corresponds to a signer of each of the signed versions of the user entitlement,
Receiver device. A processor readable medium having one or more instructions operable at a receiver device, the processor readable medium comprising:
When the one or more instructions are executed by one or more processors, the one or more processors cause:
Receive at the recipient device a composite credential including one or more signed versions of the user credential signed by one or more signers in a user credential and social network, and a user signature on the composite credential;
Authenticate one or more signed versions of the composite credential and the user credential; And
Generate a trust metric for the user based upon the one or more signers upon successful authentication,
Processor Readable Media. 49. The method of claim 47,
When executed by one or more processors, the one or more processors cause:
Further having one or more instructions operable at the recipient device, to receive a signer weight for each of the one or more signers,
A confidence metric for the user is generated based on received signer weights for the one or more signers,
Processor Readable Media. 49. The method of claim 47,
When executed by one or more processors, the one or more processors cause:
Further having one or more instructions operable at the recipient device, to assign a recipient-assigned signer weight to each version of signed received user entitlements,
Each recipient-assigned signer weight corresponds to the signer of each signed received user entitlement,
Processor Readable Media.

Images